Cybersecurity experts are raising alarms about a widespread vulnerability affecting thousands of servers utilizing the Prometheus monitoring and alerting toolkit. These exposed systems are susceptible to data leakage, denial-of-service (DoS) disruptions, and even remote code execution (RCE) exploits.
“Prometheus servers and exporters, often devoid of sufficient authentication safeguards, allow attackers to effortlessly extract critical information such as credentials and API keys,” disclosed Aqua security researchers Yakir Kadkoda and Assaf Morag in a newly published report shared with The Hacker News.
The cloud security firm also highlighted that publicly exposed “/debug/pprof” endpoints—intended for assessing heap memory usage, CPU consumption, and similar metrics—could become vectors for crippling DoS attacks, rendering these systems incapacitated.
Approximately 296,000 Prometheus Node Exporter instances and 40,300 Prometheus servers are currently estimated to be openly accessible via the internet. This vast digital footprint presents an enticing target for threat actors, putting both data and operational integrity at significant risk.
The issue of sensitive data exposure through internet-facing Prometheus servers, including credentials, authentication tokens, and API keys, is not new. Earlier studies by JFrog in 2021 and Sysdig in 2022 documented similar risks.
“Unauthenticated Prometheus instances permit direct interrogation of internal datasets, potentially revealing secrets that attackers can exploit to infiltrate organizations,” the researchers warned.
Moreover, the “/metrics” endpoint poses another danger, as it divulges internal API endpoints, subdomain details, Docker registries, and image information. This trove of reconnaissance data could empower attackers to deepen their network intrusions.
But the risks don’t end there. Adversaries can flood endpoints such as “/debug/pprof/heap” with concurrent requests, initiating CPU- and memory-intensive profiling operations that could overwhelm servers and force them to crash.
Aqua Security further spotlighted a supply chain vulnerability linked to repojacking. This method exploits the names of deleted or renamed GitHub repositories to deploy malicious third-party exporters. The researchers identified eight exporters listed in Prometheus’ official documentation as susceptible to repojacking. Attackers could recreate exporters using identical names, hosting malicious versions. Fortunately, these vulnerabilities were rectified by the Prometheus security team in September 2024.
“Users relying on the documentation might inadvertently clone and deploy these rogue exporters, potentially leading to remote code execution on their systems,” the researchers cautioned.
To mitigate these risks, organizations should adopt robust security measures, including enforcing strong authentication mechanisms for Prometheus servers and exporters, curtailing public exposure, scrutinizing “/debug/pprof” endpoints for abnormal activities, and proactively safeguarding against repojacking threats.
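The "scrutinizing /debug/pprof endpoints" step above can be turned into a simple detection rule. The following script is an added example, not code from the Aqua report or the Prometheus project; it assumes a reverse proxy in front of Prometheus writes combined-format access logs, and it flags any client that hits profiling endpoints repeatedly inside a short sliding window (the flood pattern described in the article). The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format) from a proxy in front
# of Prometheus: 10.0.0.5 scrapes /metrics normally, 203.0.113.7 fires a burst
# of /debug/pprof requests within a few seconds, 10.0.0.9 makes one lone call.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2024:10:00:01 +0000] "GET /metrics HTTP/1.1" 200 5120
203.0.113.7 - - [12/Dec/2024:10:00:02 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 81920
203.0.113.7 - - [12/Dec/2024:10:00:02 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 81920
203.0.113.7 - - [12/Dec/2024:10:00:03 +0000] "GET /debug/pprof/profile HTTP/1.1" 200 40960
203.0.113.7 - - [12/Dec/2024:10:00:03 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 81920
203.0.113.7 - - [12/Dec/2024:10:00:04 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 81920
10.0.0.5 - - [12/Dec/2024:10:00:16 +0000] "GET /metrics HTTP/1.1" 200 5120
10.0.0.9 - - [12/Dec/2024:10:05:00 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 81920
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_log(text):
    """Yield (ip, timestamp, path, status) for each parseable log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), m["path"], int(m["status"])

def pprof_bursts(text, threshold=3, window=timedelta(seconds=10)):
    """Return {ip: total_pprof_hits} for sources that request /debug/pprof/*
    at least `threshold` times within any sliding `window` (a flood signal)."""
    hits = defaultdict(list)
    for ip, ts, path, _ in parse_log(text):
        if path.startswith("/debug/pprof"):
            hits[ip].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for ip, n in pprof_bursts(SAMPLE_LOG).items():
        print(f"possible pprof flood from {ip}: {n} profiling requests")
```

In production the same rule would be fed from the proxy's live log stream, and a hit should also be raised for any pprof request that arrives without the expected authentication header once access control is in place.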